GDPR For Florist & Flower Shop Owners

Philipa Jane Farley recently spoke at our Shouting Above The Crowd – A Business Conference for Florists on June 10th 2018

These are just some of the points Philipa Covered on the day


All Flower businesses must have an Internal Data Protection Policy

            This is a formal document

            It includes your processes for collecting and processing data

All Flower Business Must Have A Privacy Policy or A Privacy Notice

            Plain Simple English

            Details what Data your collect

            What are you doing with the Data

            How Long are you holding the Data for?

            Who else has access to this Data

If you take any details of any person online/ by email / in writing – they must tick to accept your privacy policy

If you have no Online presence you must have a hard copy privacy policy available for those that wish to see it.  Make them aware you have it available


Subject Access Request

When a customer / staff or any person requests what personal data if any you have  about them

Paper – Digital – Film (cctv) – photo – email conversations concerning them (if they are identified)

You have 30 days to collect any data about present it to them.

Beware of internal or external emails about any person – if a staff member leaves and tells a person you were talking about them internally, they can do a subject data request, if you don’t include those conversations that they are aware are there, it is a €50000 fine or 5 years in jail   - (don’t talk about people in a recordable way )



Your supply chain – When you need to pass on a person’s data to a third party,  this information also needs to be included

            Your delivery person will have the personal data of the recipient of a bouquet of flowers

            Your website person / company have access to any data collected on your website

            If you have recordable CCTV in your shop you may have visual data of your customers


Go through with your staff the process of a bouquet of flowers being processed

Phone Order – Write Down Details in Book – Pass details of flowers to staff member- prosess credit card payment – Write the address of the recipient on the card – pass the order to the delivery driver, who will deliver the flowers

At least 3 people have handled the data of the recipient of the bouquet of flowers

Now what happens to this data??

The Note book? 

Credit Card Information must be shredded immediately the order has been processed

Senders Information may be entered into the computer until the Flowers Have been delivered – part of your policy should state senders of flowers details will be kept on file for 7 days, just in case there is and issue with the order – after 7 days it must be deleted

Recipients Information – this information may be entered on the delivery docket, the delivery card – the delivery driver must sign a privacy agreement not to share the information in the docket or cards.  The driver should confirm that they return the docket to you for shredding or that they will shred it themselves.

Recipients information on the computer and kept on file for 14 days in case there is an issue then thrashed.

How long you decide to hold onto the Data is entirely up to you, only you can decide what works best for your business, but the length of time must be stated in your privacy policy

You must be able to justify why you are holding the information for a length of time.

Best Practice for Flower Shop Delivieries

Delivery Driver has a Numbered List, each number correlates to the recipients address and phone number, this number is on the delivery envelope

The is no data on show, in the shop as the bouquets are lined up or in the delivery Van

There is now only 1 page with customers data – easier for destroying


Keeping Data For Revenue Purpose

Only keep what revenue need to know

            They don’t need to know the name and phone number of the wedding couple

            They don’t need to know who sent a bouquet of flowers

            They don’t need to know who received flowers from your shop

What Revenue do need to know is

The amount of flowers bouquet in for a wedding, how much they cost and how much they sold at and if there was any waste

How much flowers were bought in?

How many bouquets were sold


Best Practice for Record Keeping for Weddings 

In your wedding Orders keep two job cards

One with all the personal information needed for the wedding, Couples Names, Contact Details

One with the flower order, the date of the wedding the location of the wedding

If you policy is that that your delete personal wedding data after 12 months, you just delete the job card with the personal details, if you wish to keep the other for revenue / for reference, this job card has no personal information on it.

It is advised that GDPR is initially going to add 20-30% extra time to processing orders etc until staff become more familiar with it, this will reflect in your profits

Data Breech

What is a data breech?

Losing a file with a customer’s personal data on it

Leaving a bouquet of flowers on display in the shop with a customer’s delivery details on it

Having an order book in the shop that can be seen by a member of the public

Having a list of deliveries on the seat in a van for people to see

Repeating a person’s personal details back to them over the phone while someone else can hear

Hacking of an email account / website

Losing your phone/ tablet / laptop

Taking a customer order while there is someone else in the shop -

Talking about a customer order to non-staff members

Data Breech Form Can Be Found Here 


Best Practice for a Flower Shop or Florist to protect customers data.

Keep all data that you are carrying with you in a lock box in your van, or a locked brief case

Use Delivery Numbers on Bouquets on display in your shop – no names or addresses on cards

Have a consultation area to take bookings or ask the customer if they are happy to discuss and give their details in a public area

Print up a form that the customer can fill in her details herself in private if she wishes

Ensure your delivery van / driver has a locked place to store delivery addresses

Emails conversations you need to keep on file – (wedding bookings) save as pdf and delete the emails. Do this regularly, each customer as a file and it is dated, you will then know when you need to thrash it

Get into the habit of NOT repeating back credit card numbers / phone numbers and addresses. Ask the customer to repeat instead.

Have the facility on your phone / tablet / laptop to be able to wipe it remotely

Do not say anything about anyone that you don’t want them to see if they request their data from you.


Check out the

Some questions that were asked by florists attending the day

A customer orders a bouquet to be sent to someone anonymously, if the recipient want details of who sent it do we have to tell them?

Yes we absolutely do, they need to know where you got their data to send them flowers

Iv lost my phone, but I could wipe it immediately, do I need to notify my customers ??

No, you have removed the breech by deleting it immediately

My staff member has opened her own business and has taken a copy of the some of my client’s data.

If she has signed a contract which included agreeing to your privacy policy, you can take legal action against her, but you will still have to notify all of your customers of the data breech and the action you are taking.

How should myself and my staff take credit card numbers over the phone.

Do not repeat back any of the customers data or card numbers, ask the customer to repeat the information to you to confirm details.

Someone has emailed me about a wedding booking, I email her back the details and quotations.  Can I follow up in a few weeks’ time on this enquiry.

Yes, but don’t save the information in the emails, save it to a pdf in a folder for follow up in one months’ time.  Delete the client’s details from your email – (in case of data breech) One month later go to your pdf folder and send her a follow up email, If she does not reply, good practice would be to delete this contact and any personal data.

I have a mailing list for my customers that I have had for years, can I still email them with offers?

Yes, you can, but use a mailing package like Mailchimp which gives the customer to Optout and no longer receive emails from you. It is hard to keep a record of this on an excel sheet so using Mailchimp is great, it is free for up to 2000 emails


Philipa gave a great tip to us all – if you send an email to someone would they be surprised to get that email?  Would they wonder where that email came from?  Would they wonder how you got their email address?  If they answer yes to any of these, you a breaking GDPR laws.

Only email or text those who want to hear from you, but always give the option to Opt Out